Hello.

I've got several services authenticating against a Samba AD DC via "saslauthd -a ldap"
This works perfectly from the users' point of view.

However I often find failures in the logs:
saslauthd[89676]: ldap_simple_bind() failed -1 (Can't contact LDAP server).
saslauthd[89676]: Retrying authentication

This happens hundreds of times a day.
Almost surely retrying succeeds, as no user ever complained.

I tried getting some logs from Samba, but was not able to.
I ran saslauthd in debug mode and, when the above happens, this is what I see:
TLS certificate verification: Error, unable to get local issuer certificate
TLS certificate verification: Error, unable to verify the first certificate

Any hint?
Why would either saslauthd or the openldap client library fail occasionally?

Since I'm using a stateful firewall, I thought perhaps connections time out, but disabling it did not help.
My saslauthd.conf:
ldap_servers: ldap://x.x.x.x/
ldap_bind_dn: cn=xxx,cn=Users,dc=xxx,dc=xxx,dc=xxx
ldap_password: XXXXXXXX
ldap_start_tls: yes
ldap_search_base: cn=Users,dc=xxx,dc=xxx,dc=xxx
ldap_tls_cert: /.../cert.pem
ldap_tls_key: /.../key.pem
ldap_filter: (sAMAccountName=%u)
ldap_scope: sub
ldap_debug: 100
ldap_verbose: on
ldap_tls_check_peer: no


My ldap.conf:
TLS_CACERT /.../cert.pem
TLS_CERT /.../key.pem
TLS_REQCERT allow
ssl_check_cert off

 bye & Thanks
        av.
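Added diagnostic, not part of the original mail and not saslauthd or OpenLDAP code: a stdlib-only Python probe that builds the LDAP StartTLS extended request by hand, checks the resultCode, and then completes a TLS handshake with verification switched on, so a chain problem such as "unable to get local issuer certificate" surfaces as a hard failure instead of being allowed through by `ldap_tls_check_peer: no` / `TLS_REQCERT allow`. The DC host, port and CA file are assumed inputs; the OID and tag values come from RFC 4511.

```python
import socket
import ssl

# LDAPv3 StartTLS extended operation, OID from RFC 4511 section 4.14.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

def tlv(tag, value):
    """BER TLV with short-form length; every element here is well under 128 bytes."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

def read_tlv(buf, pos=0):
    """Decode one short-form BER TLV at pos; return (tag, value, next position)."""
    tag, length = buf[pos], buf[pos + 1]
    if length >= 0x80:
        raise ValueError("long-form BER length not expected in a StartTLS reply")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def starttls_request(msg_id=1):
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = tlv(0x77, tlv(0x80, STARTTLS_OID))   # 0x77 = [APPLICATION 23], constructed
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + ext_req)

def parse_result_code(resp):
    """resultCode from an extendedResp ([APPLICATION 24] = 0x78); 0 means success."""
    tag, msg, _ = read_tlv(resp)
    _, _, pos = read_tlv(msg)                       # skip messageID
    op_tag, op, _ = read_tlv(msg, pos)
    if tag != 0x30 or op_tag != 0x78:
        raise ValueError("expected LDAPMessage/extendedResp, got 0x%02x/0x%02x" % (tag, op_tag))
    _, code, _ = read_tlv(op)                       # ENUMERATED resultCode is the first element
    return int.from_bytes(code, "big")

def probe_starttls(host, port=389, cafile=None, timeout=5):
    """Plain LDAP connect, StartTLS, then a verifying TLS handshake. Returns (ok, detail)."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED plus hostname checking
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(starttls_request())
            code = parse_result_code(sock.recv(4096))
            if code != 0:
                return False, "StartTLS refused, resultCode %d" % code
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version()
    except (OSError, ValueError) as exc:            # ssl.SSLError is an OSError subclass
        return False, str(exc)
```

Run `probe_starttls("dc.example", cafile="/path/to/ca-chain.pem")` in a loop from the saslauthd host; a verify error appearing only on some attempts points at the DC presenting different chains (or a missing intermediate) rather than at the client, and the same CA file should then be used for TLS_CACERT.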
_______________________________________________
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports